nextcloud / documentation

📘 Nextcloud documentation
https://docs.nextcloud.com

[Bug]: Security & setup warning: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds' #10234

Open RobMahn opened 1 year ago

RobMahn commented 1 year ago


Bug description

The 'Security & setup warning' 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds' is displayed when configured as documented for "Nextcloud in a subdir of the NGINX Webroot".

I have found that if I move the other "HTTP response headers borrowed from Nextcloud .htaccess" from the location specific section to the global section immediately following the Strict-Transport-Security line, the error will go away.

I assume that the test is incorrect, rather than the documentation, as it seems the global setting should work with the other settings being location specific.

Steps to reproduce

  1. Configure "Nextcloud in a subdir of the NGINX Webroot" per the documentation.
  2. Setup your server's name and certificates.
  3. In your servers NGINX config file, copy the line: #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
  4. Insert the copied line without the comment and remove preload.

Expected behavior

The configuration warning does not display when configured as documented.

Installation method

None

Nextcloud Server version

26

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

No response

List of activated Apps

Enabled:
  - activity: 2.18.0
  - bruteforcesettings: 2.6.0
  - cloud_federation_api: 1.9.0
  - dashboard: 7.6.0
  - dav: 1.25.0
  - external: 5.1.0
  - federatedfilesharing: 1.16.0
  - files: 1.21.1
  - files_external: 1.18.0
  - files_external_onedrive: 1.1.0
  - files_inotify: 0.1.14
  - files_pdfviewer: 2.7.0
  - files_rightclick: 1.5.0
  - files_sharing: 1.18.0
  - files_trashbin: 1.16.0
  - files_versions: 1.19.1
  - fileslibreofficeedit: 1.1.0
  - group_everyone: 0.1.12
  - impersonate: 1.13.0
  - logreader: 2.11.0
  - lookup_server_connector: 1.14.0
  - memories: 5.0.5
  - music: 1.8.3
  - nextcloud_announcements: 1.15.0
  - notifications: 2.14.0
  - oauth2: 1.14.0
  - occweb: 0.1.0
  - password_policy: 1.16.0
  - photos: 2.2.0
  - previewgenerator: 5.2.4
  - privacy: 1.10.0
  - provisioning_api: 1.16.0
  - recognize: 3.7.0
  - related_resources: 1.1.0-alpha1
  - serverinfo: 1.16.0
  - settings: 1.8.0
  - sharebymail: 1.16.0
  - support: 1.9.0
  - systemtags: 1.16.0
  - text: 3.7.2
  - theming: 2.1.1
  - twofactor_backupcodes: 1.15.0
  - twofactor_email: 2.7.2
  - twofactor_gateway: 0.20.0
  - twofactor_nextcloud_notification: 3.6.0
  - twofactor_totp: 8.0.0-alpha.0
  - twofactor_webauthn: 1.1.2
  - updatenotification: 1.16.0
  - viewer: 1.10.0
  - weather_status: 1.6.0
  - workflow_media_converter: 1.7.0
  - workflowengine: 2.8.0
Disabled:
  - admin_audit: 1.16.0
  - circles: 26.0.0 (installed 26.0.0)
  - comments: 1.16.0 (installed 1.16.0)
  - contactsinteraction: 1.7.0 (installed 1.7.0)
  - encryption: 2.14.0
  - federation: 1.16.0 (installed 1.16.0)
  - firstrunwizard: 2.15.0 (installed 2.15.0)
  - recommendations: 1.5.0 (installed 1.5.0)
  - survey_client: 1.14.0 (installed 1.14.0)
  - suspicious_login: 4.4.0
  - user_ldap: 1.16.0
  - user_status: 1.6.0 (installed 1.6.0)

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

kesselb commented 1 year ago

Hi,

The test for strict-transport-security is done by your browser. A good way to debug those requests is your browser's network inspector.

Starting point: Is the request done to the right path? If Nextcloud is installed at domain.com/cloud but the request for the strict-transport-security goes to domain.com, Nextcloud is not configured properly.

Ho551 commented 1 year ago

Hi :) I have a similar issue. When loading the overview the first time, all checks passed. When I reload, I'm getting the same error. When I reload with "Shift+F5", all checks pass again. I don't know which version causes this problem, but it has been occurring for at least some time. My setup: apache2 + PHP 8.1

joshtrichards commented 1 year ago

This is correct behavior for NGINX inheritance since add_header lines are not inherited (integrated) at a lower level if there are add_header lines at that lower level. See:

Perhaps it could be better documented in the example configuration that enabling add_header lines at different levels means considering the implications on one's add_header lines elsewhere, but that's more a general NGINX configuration matter than NC specific (and NGINX isn't officially supported).

As an additional bit of sanity checking, you can verify the configured headers are being sent with this command (if you don't feel like digging around in your browser console):

curl --head http[s]://nc-test.mydomain.com

This would be a good situation to post about over at the Nextcloud community forums (https://help.nextcloud.com/). I suspect others have - or will - encounter it.
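As an added example (not code from the thread or from the Nextcloud project), the curl check above can be turned into a small script that parses the Strict-Transport-Security header a server actually sends and compares its max-age with the 15552000-second minimum named in the warning. The hostnames and paths are placeholders, and the two sample responses are constructed to model the situation described in this thread: HSTS declared with add_header at server level, and a PHP location block with its own add_header lines that therefore does not inherit it.

```shell
#!/bin/sh
# Added example: check the Strict-Transport-Security header on the path
# Nextcloud is really served from. Hostnames and paths are placeholders.

NC_HSTS_MIN=15552000   # 180 days, the threshold quoted in the warning

# hsts_max_age: read raw response headers on stdin (curl --head output) and
# print the max-age of the Strict-Transport-Security header, or 0 if absent.
# Header names are case-insensitive; if several HSTS headers appear (for
# example after following a redirect) the last one wins.
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security:/ {
            n = split(substr($0, index($0, ":") + 1), parts, ";")
            for (i = 1; i <= n; i++) {
                d = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", d)
                if (tolower(substr(d, 1, 8)) == "max-age=")
                    age = substr(d, 9) + 0
            }
        }
        END { print age + 0 }'
}

# hsts_ok MAX_AGE: succeed when MAX_AGE meets the Nextcloud minimum.
hsts_ok() {
    [ "$1" -ge "$NC_HSTS_MIN" ]
}

# check_headers LABEL: read headers on stdin, print a verdict, return 0/1.
check_headers() {
    age=$(hsts_max_age)
    if hsts_ok "$age"; then
        echo "OK   $1: max-age=$age"
    else
        echo "FAIL $1: max-age=$age (need at least $NC_HSTS_MIN)"
        return 1
    fi
}

# check_url URL: fetch headers with curl --head, as in the comment above.
# Redirects are not followed, so probe the final URL (e.g. .../index.php).
check_url() {
    curl -sS --head "$1" | check_headers "$1"
}

# Constructed sample responses (not captured from a real server). They model
# an NGINX vhost where HSTS is set with add_header at server level while the
# PHP location block has its own add_header lines: the vhost root still gets
# the header, the Nextcloud front controller under /cloud/ does not.
SAMPLE_ROOT='HTTP/2 200
Strict-Transport-Security: max-age=15768000; includeSubDomains
Content-Type: text/html'
SAMPLE_PHP='HTTP/2 200
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Content-Type: text/html'

# demo: check both samples; returns 0 only if both pass (here the PHP path
# fails, which is exactly the condition that triggers the warning).
demo() {
    rc=0
    printf '%s\n' "$SAMPLE_ROOT" | check_headers "https://cloud.example.com/" || rc=1
    printf '%s\n' "$SAMPLE_PHP"  | check_headers "https://cloud.example.com/cloud/index.php" || rc=1
    return $rc
}

# Real use: pass the vhost root and the Nextcloud base path, e.g.
#   sh hsts-check.sh https://cloud.example.com/ https://cloud.example.com/cloud/index.php
# Without arguments the constructed samples are checked instead.
status=0
if [ $# -gt 0 ]; then
    for u in "$@"; do check_url "$u" || status=1; done
else
    demo || status=1
fi
[ "$status" -eq 0 ] || echo "at least one check failed"
```

Probe both the vhost root and Nextcloud's own base path: the browser-side check runs against the path Nextcloud is installed at, so a header that is present on `/` but missing on `/cloud/index.php` reproduces the warning. When that happens on NGINX, the cause is the inheritance rule described above: a server-level add_header is dropped in any location block that declares its own add_header lines, so either repeat the Strict-Transport-Security line in that location block or keep all add_header lines at one level.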